Get IPv6 Now with Freenet6

How to set up an IPv6-over-IPv4 tunnel and provide IPv6 networking to hosts behind a gateway.

IPv6 is the successor to our current
internet protocol, IPv4. It offers many new features, including a
vastly increased address space (128 bits of address vs. IPv4's
measly 32 bits), easier autoconfiguration and better support for
encryption. The Debian Project has done a good job of making its
distribution IPv6-ready. Here, I show you how to set up an
IPv6-over-IPv4 tunnel and provide IPv6 networking to hosts behind a
gateway using the free Freenet6 tunnel service and radvd. Note that
I'm assuming you're using Debian Woody (3.0) or unstable (SID) and
that you understand how to install packages through apt. I'm also
assuming you know a little bit about IPv6, such as what an address
looks like.

You'll need a publicly addressable IPv4 address on the
gateway you're using. The kernel on that gateway and any hosts you
want to connect also must support IPv6; Debian's standard kernels
support IPv6 by default. If you're not sure whether yours does,
check for a /proc/sys/net/ipv6 directory. Also, see if the output
of ifconfig contains any IPv6 addresses, such as
fe80::24f:49ff:fe07:2552. Make sure your firewall isn't blocking
IPv6 tunnel packets; IP protocol 41 (ipv6 over ipv4) must not be
blocked in either direction.

IPv6 tunneling will fail if you're behind a NAT router, but
the good news is that you don't need a static IPv4 address from
your service provider to have a static IPv6 address.

First of all, install the Freenet6 client software with apt.
The Debian package is called freenet6 and is available in Woody and
later releases. RPM and source packages are also available from
www.freenet6.net/download.shtml.
Once it's installed, Freenet6 automatically gets an IPv6 address
based on your existing IPv4 address; no configuration is
required.

The /etc/init.d/freenet6 script simply starts the tunneling
client, called Tunnel Setup Protocol Client (tspc). At this point,
if your IPv4 address changes, so does your IPv6 address. That's
right, simply by installing Freenet6, everything will work right
out of the box on most systems. However, we want to go a step
further; we want to get our own IPv6 subnet. To do this, we need a
user account.

Go to
www.freenet6.net, and
click on the “Create your account” link, which should be under
TSP Server on the left-hand menu. After filling in your user name
and e-mail address, you will get mail containing the password for
the user ID you requested.

Open /etc/freenet6/tspc.conf in your favorite editor. This
configuration file controls tspc and defaults to making an
anonymous connection. Find the user ID and password lines and
change their values to the ones in the e-mail. If you restart
Freenet6, run /etc/init.d/freenet6 restart and
stop here; you'll have a perfectly functional IPv6 setup with a
single static IPv6 address. If this is all you need, you can stop
reading right now.

Assuming you do need more, the next step is to request your
/48 prefix. Again, this is done by editing tspc.conf. Add the
following lines to the end of your tspc.conf file:

host_type=router
prefixlen=48
if_prefix=eth0

The if_prefix option controls which interface will be
regarded as your internal network. Freenet6 automatically enables
IPv6 forwarding between this interface and your Freenet6 tunnel. On
most setups, eth0 will be correct. However, you can change this as
required. For the rest of this article your internal network
interface will be referred to as eth0. If your setup uses another
interface, use that interface instead.

At this point, you can restart Freenet6; run
/etc/init.d/freenet6 restart to load the new
configuration. We're not going to be making any more changes to it.
If you run ifconfig after restarting, you'll
notice a new IPv6 address on eth0 in the form
XXXX:XXXX:XXXX:1::1/64. Freenet6 automatically has given eth0 this
new address from your /48 prefix. The XXXX:XXXX:XXXX part is the
network part of your /48 prefix. You may want to make this address
permanent by adding it to the eth0 section in
/etc/network/interfaces. This will allow other hosts to find your
gateway even if the Freenet6 software isn't running. To do this,
find the section for eth0, which should look something like
this:

Add these lines (replacing 3ffe:0b80:083b:1::1 with the
address Freenet6 assigned, without the /64 netmask) below:

iface eth0 inet6 static
address 3ffe:0b80:083b:1::1
netmask 64

Test this with ifdown eth0 and ifup
eth0. One trick: if you're doing this remotely and eth0
is the interface you're connecting through, you can avoid losing
your connection and having to walk to the actual computer you're
working on by chaining those two commands together with a
semicolon, ifdown eth0 ; ifup eth0. Your
intrepid author did exactly this over an SSH connection (my test
box is downstairs; I'm upstairs).

If everything's working fine up to this point, we can start
on the radvd setup. IPv6 has a lot more support for
autoconfiguration than IPv4. However, for this autoconfiguraton to
work, the routers of a network must answer the autoconfiguration
requests of the hosts. On Linux, the program to do this is called
radvd (Router ADVertisement Dæmon). The actual
autoconfiguration works by giving hosts new IPv6 addresses based on
the 64-bit network address and their hardware Ethernet address.
Hosts also are told what their default gateway should be. As with
Freenet6, there is a Debian package for radvd.

Once radvd is installed, we need to edit the /etc/radvd.conf
file. Debian's default configuration basically does nothing, so
replace the whole lot with:

The prefix should be set to the network and netmask on eth0.
For instance, if the IPv6 address Freenet6 assigned to eth0 is
3ffe:b80:83b:1::1/64, the prefix should be set to
3ffe:b80:83b:1::/64, which is the same as the IPv6 address only
minus the host part of the address (the :1). Once you've done that,
restart radvd.

After restarting, try running ifconfig on
IPv6 hosts attached to your internal network. You should notice a
new IPv6 address on the interface connected to your internal
network. For example, using the prefix above, one such address
might be 3ffe:b80:840:1:24f:49ff:fe07:2552/64. If no new address
appears, check /var/log/syslog on the system on which radvd is
running for errors; radvd does not log to the console.

To test your IPv6 connection, first try pinging something
with the ping6 program on both the gateway and a connected host.
You might find you don't have ping6 installed. If not, install the
iputils-ping package. Some hosts to try ping6-ing include
www.6bone.net and
www.kame.net. If this
isn't working, double-check that your firewall isn't blocking IPv6
packets. If this works, try connecting to
www.kame.net with lynx,
Mozilla or Konqueror. These browsers have IPv6 support in Debian
testing. If everything is working, there will be a dancing “kame”
at the top of the page and a little message at the bottom. If it
still says you're using IPv4, and the ping6 test worked fine,
double-check that you have the latest version of your web
browser.

Installing an IPv6 tunnel may open up security holes. While
IPv6 firewalling using iptables in 2.4.x kernels is possible, it is
beyond the scope of this article. You are
strongly advised to evaluate possible security
issues. One quick way to check whether any IPv6 services are being
opened up is to run the command netstat -l -A
inet6. This will show you open, listening IPv6 sockets.
If any are active, make sure it's okay for them to be publicly
available.

Congratulations! You're on the next-generation Internet. Now
that you have a basic IPv6, you will probably want to look into
IPv6-enabling services such as Web and e-mail. The Debian IPv6
Project is a good start to find patched versions of Debian
packages. While many client programs are already IPv6-compatible,
there are a lot of basic server dæmons, such as inetd,
apache, etc., that aren't in the mainstream Debian release. These
packages are easy to install; add a few lines to your APT
configuration, and run dist-upgrade. If you're
interested, go to
people.debian.org/~csmall/ipv6.

Peter Todd has
been using Linux since he was 14. When he's not messing around with
upcoming network protocols, he can be found at Woburn Collegiate
working on pottery and film arts projects. He can be contacted at
pete@petertodd.ca and
has a self-hosted IPv4 and IPv6 web site,
petertodd.ca.

Trending Topics

Upcoming Webinar

Getting Started with DevOps - Including New Data on IT Performance from Puppet Labs 2015 State of DevOps Report

August 27, 2015
12:00 PM CDT

DevOps represents a profound change from the way most IT departments have traditionally worked: from siloed teams and high-anxiety releases to everyone collaborating on uneventful and more frequent releases of higher-quality code. It doesn't matter how large or small an organization is, or even whether it's historically slow moving or risk averse — there are ways to adopt DevOps sanely, and get measurable results in just weeks.